Where to Place a Remediation Server
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista
The location of remediation servers on your network depends on the enforcement methods that you use.
In an IPsec enforcement design, remediation servers are positioned based on a logical, rather than physical, network design. Remediation servers must be placed on the IPsec logical boundary network so that they are available to noncompliant NAP clients. The IPsec boundary policy requests, but does not require, authentication on inbound connections. When you apply this policy to remediation servers, they can communicate with noncompliant NAP client computers that do not have a health certificate. Remediation servers are issued a NAP exemption certificate, so that they can freely communicate with NAP client computers on the secure logical network.
The addition of remediation servers to remediation server groups in the NPS console does not affect access to remediation servers in an IPsec enforcement design.
NAP with 802.1X enforcement can restrict noncompliant client access through the use of an access control list (ACL) or by placing computers on a restricted VLAN. Remediation server placement is different, depending on which of these methods are used. If your access device supports the use of both methods, you can also combine VLAN and ACL restriction.
The addition of remediation servers to remediation server groups in the NPS console does not affect access to remediation servers in an 802.1X enforcement design.
802.1X enforcement with VLANs
In an 802.1X enforcement design where VLANs are used to restrict the access of noncompliant client computers, remediation servers must be accessible from the restricted access VLAN. This can be accomplished by placing remediation servers on the restricted VLAN only. You can also allow access to remediation servers through inter-VLAN routing. A remediation server that is placed on the restricted VLAN might also be accessible from other VLANs through the use of multi-homing or by placing the server on a trunking connection with access to multiple VLANs.
802.1X enforcement with ACLs
In an 802.1X enforcement design where ACLs are used to restrict access of noncompliant client computers, remediation servers and noncompliant NAP clients can both be placed on the corporate VLAN. Access to the corporate network and remediation servers is restricted on a per-port, per-address, or per-network basis.
In a VPN enforcement design, remediation servers can be placed on the corporate network or on a perimeter network. Limited access to corporate resources, such as remediation servers, is provided by IP packet filters that are applied to the VPN connection.
The addition of remediation servers to remediation server groups in the NPS console is one way to provide access to remediation servers in a VPN enforcement design. You can also provide access by configuring IP filters in network policy.
If no remediation server groups or IP filters are configured in noncompliant network policy, full network access is granted to noncompliant NAP client computers.
In a DHCP enforcement design, remediation servers can be placed on the corporate network. The access of noncompliant computers is limited automatically to the DHCP NAP enforcement server and any remediation servers that you specify.
To provide noncompliant clients with access to remediation servers, configure remediation server groups in the NPS console. Noncompliant client computers will receive classless static host routes that can be used to access remediation servers. If a remediation server is located on a different subnet from noncompliant computers, the classless route is built using the 003 Router DHCP option from the default NAP class.
Do not add the DHCP NAP enforcement server to a remediation server group. Noncompliant client computers are granted access to this server automatically.